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DETAILED ACTION 

1. This is in response to the arguments filed on 21 March 2007. 

2. Claims 1, 2, 4, 6, 10, 12, 15, 16, 20, 23, 24, 31, 34, 38, 42, 47, 48, 51, 54-56, 59 and 81-122 
are pending in the application. 

3. Claims 1, 2, 4, 6, 10, 12, 15, 16, 20, 23, 24, 31, 34, 38, 42, 47, 48, 51, 54-56, 59 and 81-122 
have been rejected. 

4. Claims 3, 5, 7-9, 11, 13, 14, 17-19, 21, 22, 25-30, 32, 33, 35-37, 39-41, 43-46, 49, 50, 52, 53, 
57, 58 and 60-80 have been cancelled. 

Response to Arguments 

5. Applicant's arguments filed 21 March 2007 have been fully considered but they are not 
persuasive. 

On page 40, the applicant argues that Mittra does not teach or suggest determining a new 
group session key by replicating a branch of the second binary tree when an additional member 
node joins the multicast group. 

The examiner respectfully disagrees. Mittra discloses once the GSC and the new member 
have authenticated each other and have agreed on a secret the GSC needs to provide the new 
member with information that will allow it to encrypt and/or decrypt the multicast transmission. 
At this point the GSC also needs to change the group key (Kgrp) that provides access to the 
multicast transmissions. This is done to prevent the joining member from decrypting previous 
transmissions to which it should not have access. Once the new Kgrp has been generated by the 
GSC, the current multicast group and the joining member all need to be apprised of the new 
Kgrp. To do this the GSC sends a multicast transmission containing the new Kgrp encrypted 
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using the old Kgrp to the current multicast group telling them to now use the new Kgrp. This 
assumes that all senders are also receivers; if this is not the case, senders that are not also 
receivers need to be notified individually using the separate secure channels the GSC maintains 
with each of the senders. 

On page 41, the applicant argues that Mittra does not teach or suggest the feature of 
representing a plurality of multicast proxy service nodes in a first binary tree, where each node of 
the first binary tree is associated with a domain of a plurality of domains of a directory service 
that is distributed across a wide-area network. The applicant argues that Mittra does not teach or 
suggest creating and storing a second binary tree in a particular domain of the plurality of 
domains, where the second binary tree represents the plurality of member nodes. 

The examiner respectfully disagrees. Mittra discloses the system of FIG. 3 includes a 
combined group security controller and sender (GSC 211), receivers, and TI servers. In this 
arrangement, GSC 211 performs the functions of both GSC 11 and sender 13a of FIG. 2. The 
portion of the FIG. 3 system other than GSC 21 1 is identical to the portion of the FIG. 2 system 
other than GSC 1 1 and senders 13a and 13b. In each embodiment of the inventive system, each 
GSC, TI server, sender, and receiver is a device, and all such devices are programmed in such a 
manner that the system can implement a secure multicast. For example, each receiver, sender, 
GSC, and TI can be a programmed personal computer including a network connection (e.g., to 
the Internet), and each GSC or TI can be a programmed processor including router circuitry. As 
noted, any of such devices may have more than one role at a time (e.g., senders may also be 
receivers, and a GSC may be combined with a sender). In each embodiment of the invention, 
including the embodiment of FIGS. 1, 2, and 3, the "multicast/unicast network" (e.g., 
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multicast/unicast network 112a of FIG. 1) is a general purpose network which provides unicast 
services (and thus supports secure communication over one or more unicast communication 
lines) and also provides multicast services. The inventive "secure multicast" group implemented 
by the FIG. 1 system is controlled by a single group security controller (GSC 111), and the 
inventive "secure multicast" group implemented by each of the systems of FIGS. 2 and 3 is 
controlled by a single group security controller (GSC 11 or 211). In each embodiment of the 
inventive system, the secure multicast group has a hierarchical structure. Each such secure 
multicast group includes sub-groups, with each of the sub-groups being served by a different TI 
server. For convenience, we sometimes refer to each sub-group served by a TI server as a 
M group"(although the overall secure multicast group includes two or more of such sub-groups) 
and we sometimes also refer to the overall secure multicast group simply as a "group." The 
overall secure multicast group does not employ a single, common group key. Rather, each TI 
server multicasts data to the members of its sub-group using its own group key. This 
independence allows changes in membership of a sub-group to be isolated to the multicast of the 
corresponding TI server (or the GSC for changes in membership of the sub-group at the top- 
level). 

On page 43, the applicant argues that Mittra does not teach or suggest determining a new 
group session key by replicating a branch of the second binary tree when an additional member 
node joins the multicast group. 

The examiner respectfully disagrees. See response above. 

On pages 44 and 45, the applicant argues that Mittra does not teach or suggest the feature 
of representing a plurality of multicast proxy service nodes in a first binary tree, where each node 
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of the first binary tree is associated with a domain of a plurality of domains of a directory service 
that is distributed across a wide-area network. The applicant argues that Mittra does not teach or 
suggest creating and storing a second binary tree in a particular domain of the plurality of 
domains, where the second binary tree represents the plurality of member nodes. 

The examiner respectfully disagrees. See response above. 

Claim Rejections - 35 USC § 102 

The following is a quotation of the appropriate paragraphs of 35 U.S. C. 102 that form the 
basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(b) the invention was patented or described in a printed publication in this or a foreign country or in public use or on 
sale in this country, more than one year prior to the date of application for patent in the United States. 

6. Claims 1, 2, 4, 6, 10, 12, 15, 16, 20, 23, 24, 31, 34, 38, 42, 47, 48, 51, 54-56, 59 and 81-122 
are rejected under 35 U.S.C. 102(b) as being anticipated by Mittra U.S. Patent No. 
5,748,736. 

As to claim 1, Mittra discloses a method of establishing a secure communication session 
among a plurality of member nodes that participate in a multicast group across a wide area 
network, comprising the steps of: 

receiving information defining a plurality of multicast proxy service nodes 
[column 6 5 lines 3-18], wherein; 

the plurality of multicast service nodes are distributed across the 
wide area network [column 6, lines 3-18]; 
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the plurality of multicast service nodes control when any of the 
plurality of member nodes join or leave the multicast group [column 7, 
lines 28-39]; and 

the plurality of multicast proxy service nodes are logically 
represented by a first binary tree [column 6, lines 3-1 8] , wherein: 

each node of the first binary tree is associated with a 
domain of a plurality of domains of a directory service that is 
distributed across the wide area network [column 6, lines 3-18]; 
and 

each node of the first binary tree is associated with one or 
more multicast proxy service nodes of the plurality of multicast 
proxy service nodes [column 6, lines 3-18]; 
creating and storing a second binary tree that represents the plurality of 
member nodes [column 6, lines 19-38], wherein: 

each of the member nodes of the plurality of member nodes is 
represented by a leaf node of the second binary tree [column 6, lines 19- 
38]; 

the second binary tree is stored in a particular domain of the 
plurality of domains of the directory service that is distributed across the 
wide area network [column 6, lines 19-38]; 
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a root node of the second binary tree represents one or more of the 
multicast proxy service nodes of the plurality of multicast proxy service 
nodes [0131-0135]; and 

each of the member nodes of the plurality of member nodes is 
capable of establishing multicast communication and serving as a key 
distribution center [column 8, lines 3-32]; 

creating and storing a group session key associated with the 
multicast group and a private key associated with each member node of 
the multicast group using secure key exchange [column 8, lines 3-32]; 

when an additional member node joins the multicast group, 
determining a new group session key by replicating a branch of the second 
binary tree [column 8, lines 3-32]. 
As to claims 2, 82 and 103, Mittra discloses that each of the member nodes is associated 
with at least one of the multicast proxy service nodes, wherein each of the multicast proxy 
service nodes acts as one of a plurality of group controllers, further comprising the steps of: 

joining an additional group controller to the plurality of group controllers, 
wherein each group controller of the plurality of group controllers is a replica of 
another group controller of the plurality of group controllers [column 7 line 28 to 
column 8 line 35]; 

establishing, by one of the group controllers, a secure communication 
channel between one of the group controllers and another of the group controllers 
using a key exchange protocol [column 7 line 28 to column 8 line 35]; 
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receiving a request to add or delete a specified member node of the 
multicast group from a load balancer that is coupled to the plurality of group 
controllers [column 7 line 28 to column 8 line 35]; 

creating and storing the new group session key for each member node in 
each branch of the second binary tree that is affected by adding or deleting the 
specified member node from the multicast group [column 7 line 28 to column 8 
line 35]; 

distributing the new group session key from one of the group controllers to 
the member nodes that are affected by adding or deleting the specified member 
node [column 7 line 28 to column 8 line 35]. 
As to claims 4, 83 and 104, Mittra discloses a method wherein distributing a group 
session key further comprises: 

determining that the specified member node is leaving the multicast group 
[column 8 line 36 to column 9 line 12]; 

determining which of the intermediate nodes of the second binary tree are 
affected by the specified member node that is leaving [column 8 line 36 to column 
9 line 12]; 

updating only keys associated with the intermediate nodes that are affected 
by the specified member node that is leaving [column 8 line 36 to column 9 line 
12]; and 
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sending the new group session key to the leaf nodes of the second binary 
tree that correspond to the member nodes that are affected by deleting the 
specified member node [column 8 line 36 to column 9 line 12]. 
As to claims 6, 84 and 105, Mittra discloses a method wherein distributing a group 
session key further comprises: 

receiving a request message from the specified member node to join the 
multicast group [column 7 line 28 to column 8 line 35]; 

determining which of the intermediate nodes of the second binary tree are 
affected by the specified member node that is joining the multicast group [column 
7 line 28 to column 8 line 35]; 

updating only keys associated with the intermediate nodes that are affected 
by the specified member node that is joining [column 7 line 28 to column 8 line 
35]; 

generating a private key for the specified member node that is joining 
[column 7 line 28 to column 8 line 35]; and 

sending a message comprising the new group session key, the private key, 
and the updated keys of intermediate nodes that are affected to the member node 
that is joining [column 7 line 28 to column 8 line 35]. 
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As to claims 10, 85 and 106, Mittra discloses that determining a new group session key 
further comprises the step of computing a group shared secret key at a first member node of the 
plurality of member nodes for use in a public key process and using less than n * (n-1) messages, 
where "n" is a number of member nodes in the multicast group, by the steps of: 

generating an intermediate shared secret key by issuing communications 
to a second member node of the plurality of member [column 9 line 36 to column 
10 line 53]; 

sending a first private value associated with the first member node to the 
second member node, and receiving from the second member node a second 
private value associated with the second member node using the intermediate 
shared secret key [column 9 line 36 to column 10 line 53]; 

generating and communicating a collective public key that is based upon 
the first private value and the second private value to a third member node of the 
plurality of member nodes [column 9 line 36 to column 10 line 53]; 

receiving an individual public key from the third member node [column 9 
line 36 to column 10 line 53]; and 

computing and storing the group shared secret key based upon the 
individual public key [column 9 line 36 to column 10 line 53]. 
As to claims 12, 86 and 107, Mittra discloses that the step of communicating the 
collective public key further comprises determining whether the first member node or the second 
member node transfers the collective public key based upon an order of entry of the first and 
second member nodes into the multicast group [column 9 line 36 to column 10 line 53]. 
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As to claims 15, 87 and 108, Mittra suggests that computing and storing the group shared 
secret key further comprises the steps of computing and storing a group shared secret key value 
"k" at the first member node according to the relation 

k = C ab mod (q) = p abc mod (q) [column 9 line 36 to column 10 line 53] 

wherein: 

C, a, b, c, q, and p are values stored in a memory [column 9 line 36 
to column 10 line 53], 

C is the individual public key [column 9 line 36 to column 10 line 

53], 

a is the first private value of the first member node [column 9 line 
36 to column 10 line 53], 

b is the second private value of the second member node [column 9 
line 36 to column 10 line 53], 

c is a third private value of the third member node [column 9 line 
36 to column 10 line 53], 

p is a base value [column 9 line 36 to column 10 line 53], and 

q is a prime number value [column 9 line 36 to column 10 line 53]. 
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As to claims 16, 88 and 109, Mittra discloses that determining a new group session key 
comprises computing a group shared secret key, each of the member nodes having a private key 
value associated therewith, by the steps of: 

communicating a first public key of a first member node of the plurality of 
member nodes to a second member node of the plurality of member nodes 
[column 7 line 28 to column 8 line 35]; 

creating and storing an initial shared secret key for the first member node 
and the second member node based on a first private key and a second public key 
that is received from the second member node [column 7 line 28 to column 8 line 
35]; 

creating and storing information at the first member node that associates 
the first member node with a first entity by generating a collective public key that 
is shared by the first member node and the second member node, wherein the 
collective public key is based on the first private key and a second private key that 
is derived by the first member node from the second public key [column 7 line 28 
to column 8 line 35]; 

receiving a third public key from a third member node of the plurality of 
member nodes that seeks to join the first entity [column 7 line 28 to column 8 line 
35]; 

creating and storing a final shared secret key based on the collective public 
key and a third public key [column 7 line 28 to column 8 line 35]; 
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joining the first member node to a second entity that includes the first 
entity and the third member node and that uses secure communication with 
messages that are encrypted using the final shared secret key [column 7 line 28 to 
column 8 line 35]. 

As to claims 20, 89 and 110, Mittra suggests a method further comprising the steps of 
creating and storing a subsequent shared secret key for use by the first entity and the third 
member node to enable the third member node to independently compute the group shared key, 
that creating and storing the subsequent shared secret key further comprises the steps of creating 
and storing a subsequent shared secret key value, k, according to the relation 

k - p ( a * x * b ^ c * z ) mod (q) [column 9 line 36 to column 10 line 53] 

where: 

p = a random number [column 9 line 36 to column 10 line 53], 
q = a prime number [column 9 line 36 to column 10 line 53], 
a = the first private key [column 9 line 36 to column 10 line 53], 
b = the second private key [column 9 line 36 to column 10 line 53], 
c = a third private key of the third member node [column 9 line 36 

to column 10 line 53], 

x = a number of times the first member node has participated in 

entity formation [column 9 line 36 to column 10 line 53], 

y = a number of times the second member node has participated in 

entity formation [column 9 line 36 to column 10 line 53], and 



Application/Control Number: 09/728,488 Page 14 

Art Unit: 2131 

z = a number of times the third member node has participated in 
entity formation [column 9 line 36 to column 10 line 53]. 
As to claims 23 , 90 and 111, Mittra suggests that creating and storing the initial shared 
secret key for the first member node and second member node further comprises the steps of 
creating and storing an initial shared public key value "AB" according to the relation 

AB = k ab ab mod (q) = p (ab >< ab > mod (q) [column 9 line 36 to column 10 line 

53] 

wherein k = the initial shared secret key value, a = the first private key 
value, b = the second private key value, p is a base value, and q is a randomly 
generated prime number value [column 9 line 36 to column 10 line 53]. 
As to claims 24, 91 and 112, Mittra discloses a method further comprising the steps of: 

authenticating a first multicast proxy service node with a subset of the 
multicast proxy service nodes of the plurality of multicast proxy service nodes 
that are affected by an addition of the first multicast proxy service node to the 
multicast group, based on key information stored in a directory [column 7 line 28 
to column 8 line 35]; 

wherein authenticating the first multicast proxy service node based on key 
information stored in the directory includes authenticating the first multicast 
proxy service node based on the directory that comprises a directory system agent 
(DSA) for communicating with one or more of the multicast proxy service nodes 
and a replication service agent (RSA) for replicating attribute information of one 
or more multicast proxy service nodes, wherein the attribute information 
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comprises the group session key and the private keys of the one or more multicast 
proxy service nodes [column 7 line 28 to column 8 line 35]; 

receiving a plurality of private keys from the subset of multicast proxy 
service nodes [column 7 line 28 to column 8 line 35]; 

generating a new private key for the first multicast proxy service node 
[column 7 line 28 to column 8 line 35]; 

communicating the plurality of private keys and the new private key to the 
first multicast proxy service node [column 7 line 28 to column 8 line 35]; 

communicating a message to the subset of multicast proxy service nodes 
that causes the subset of multicast proxy service nodes to update their private keys 
[column 7 line 28 to column 8 line 35]; 

distributing the new group session key to all multicast proxy service nodes 
of the plurality of multicast proxy service nodes by: 

creating and storing the new group session key using a particular 

multicast proxy service node of a particular domain of the plurality of 

domains of the directory service, wherein the particular domain is 

associated with the directory [column 7 line 28 to column 8 line 35]; 

replicating the directory [column 7 line 28 to column 8 line 35]; 

and 

obtaining the new group session key from a local multicast proxy 
service node that is a replica of the first multicast proxy service node 
[column 7 line 28 to column 8 line 35]. 
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As to claims 31, 92 and 113, Mittra discloses a method further comprising selectively 
updating the group session key and the private keys by: 

detecting whether a member node of the plurality of member nodes that is 
associated with one of the leaf nodes is leaving the multicast group [0110-0112]; 

determining one or more tree nodes along a tree path in the second binary 
tree that corresponds to the leaving leaf node, wherein the one or more tree nodes 
are affected in response to the detecting step [0110-0112]; 

updating the private keys of the one or more tree nodes [0110-0112]; 
one of the affected intermediate nodes that is a parent node of the leaving 
leaf node generating the new group session key and selectively sending the new 
group session key to all ancestral nodes along the tree path [01 10-01 12]; 

modifying the key information based upon the updated private keys and 
the new group session key [0110-01 12]; and 

generating instructions that distribute the modified key information using 
directory replication [0110-0112]. 
As to claims 34, 93 and 114, Mittra discloses a method further comprising selectively 
updating a group session key and the private keys, wherein the step of selectively updating 
comprises: 

receiving a request message from a new member node to join the multicast 
group [column 7 line 28 to column 8 line 35]; 

determining one or more tree nodes along a tree path in the second binary 
tree that corresponds to a new leaf node in the second binary tree for the new 
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member node, wherein the one or more nodes are affected in response to the 
receiving step [column 7 line 28 to column 8 line 35]; 

updating the private keys of the one or more tree nodes [column 7 line 28 
to column 8 line 35]; 

one of the affected intermediate nodes that is a parent node of the new leaf 
node requesting permission from a root node of the second binary tree to generate 
the new session key and generating the new group session key and a private key 
of the new leaf node [column 7 line 28 to column 8 line 35]; 

modifying the key information based upon the updated private keys, the 
new group session key, and the private key of the new leaf node [column 7 line 28 
to column 8 line 35]; and 

generating instructions that distribute the modified key information using 
directory replication [column 7 line 28 to column 8 line 35]. 
As to claims 38, 94 and 115, Mittra discloses a method further comprising the steps of: 

storing the group session key associated with the multicast group in a 
directory of the directory service [column 7 line 28 to column 8 line 35]; 

authenticating a first multicast proxy service node with a subset of 
multicast proxy service nodes of the plurality of multicast proxy service nodes 
that are affected by an addition of the first multicast proxy service node to the 
multicast group, based on the group session key stored in the directory [column 7 
line 28 to column 8 line 35]; 
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receiving a plurality of private keys from the subset of multicast proxy 
service nodes [column 7 line 28 to column 8 line 35]; 

receiving the new group session key for the multicast group, for use after 
addition of the first multicast proxy service node, from a directory system agent 
(DSA) of a local multicast proxy service node that has received the new group 
session key through periodic replication of the directory by a replication service 
agent (RSA) of the local multicast proxy service node, wherein the RSA is 
signaled to carry out replication by storing an updated group session key in a local 
node of the director [column 7 line 28 to column 8 line 35]; 

communicating the new group session key to the first multicast proxy 
service node [column 7 line 28 to column 8 line 35]; 

communicating a message to the subset of multicast proxy service nodes 
that causes the subset of multicast proxy service nodes to update their private keys 
[column 7 line 28 to column 8 line 35]. 
As to claims 42, 95 and 1 16, Mittra discloses a method further comprising the steps of: 

distributing the group session key to all member nodes of the plurality of 
member nodes by creating and storing the group session key using a particular 
multicast proxy service node of the plurality of multicast proxy service nodes, 
wherein the particular multicast proxy service node is associated with a particular 
domain of the plurality of domains, and wherein the particular domain is 
associated with the directory [column 9 line 48 to column 10 line 53]; 

replicating the directory [column 9 line 48 to column 10 line 53]; and 
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obtaining the group session key from a local multicast proxy service node 
that is a replica of the particular multicast proxy service node [column 9 line 48 to 
column 10 line 53]. 

As to claim 47, 96 and 117, Mittra discloses a method further comprising the steps of: 

associating a plurality of intermediate nodes of the second binary tree with 
a plurality of multicast service agents [column 7 line 28 to column 8 line 35]; 

establishing a secure back channel group among the plurality of multicast 
service agents [column 7 line 28 to column 8 line 35]; 

updating the group session key to all the multicast service agents in the 
plurality of multicast service agents by securely communicating the group session 
key using a secure back channel that is associated with the secure back channel 
group [column 7 line 28 to column 8 line 35]; 

at each intermediate node of the plurality of intermediate nodes, updating 
the group session key of only those leaf nodes that are child nodes of the each 
intermediate node [column 7 line 28 to column 8 line 35]. 
As to claims 48, 97 and 118, Mittra discloses a method further comprising the steps of: 

receiving a request for the group session key from a publisher node that is 
located in a different domain of the plurality of domains from the particular 
domain in which is stored the second binary tree [column 7 line 28 to column 8 
line 35]; 

determining an identifier of the publisher node using a first directory 
service agent that is associated with a particular multicast proxy service node of 
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the plurality of multicast proxy service nodes, wherein the particular multicast 
proxy service node is in the particular domain [column 7 line 28 to column 8 line 
35]; 

. establishing a secure communication channel among the particular 
multicast proxy service node and a directory service agent that is associated with 
a different multicast proxy service node of the plurality of multicast proxy service 
nodes, wherein the different multicast proxy service node is in the different 
domain [column 7 line 28 to column 8 line 35]. 
As to claims 51, 98 and 119, Mittra discloses a method further comprising the step of 
managing removal of a first member node from the multicast group, wherein managing removal 
of the first member node further comprises the steps of: 

creating and storing the group session key associated with the multicast 
group and a private key associated with each member node of the plurality of 
member nodes in a directory [0058-0060]; 

receiving information indicating that the first member node is leaving the 
multicast group [0058-0060]; 

updating all affected keys of a subset of member nodes of the plurality of 
member nodes in a branch of the second binary tree that contains the first member 
node that is leaving [0058-0060]; 

receiving the new group session key for the multicast group, for use after 
removal of the first member node, and a new private key for a parent node of the 
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first member node, from a local multicast proxy service node of the plurality of 
multicast proxy service nodes [0058-0060]; 

communicating a message to the subset of member nodes that causes the 
subset of member nodes to update their private keys [0058-0060]. 
As to claims 54, 99 and 120, Mittra discloses a method further comprising the steps of: 

associating a plurality of intermediate nodes of the second binary tree with 
a plurality of multicast service agents [column 7 line 28 to column 8 line 35]; 

establishing a secure back channel group among the plurality of multicast 
service agents [column 7 line 28 to column 8 line 35]; 

updating the group session key to all the multicast service agents in the 
plurality of multicast service agents by securely communicating the group session 
key using a secure back channel that is associated with the secure back channel 
group [column 7 line 28 to column 8 line 35]; 

at each intermediate node of the plurality of intermediate nodes, updating 
the group session key of only those leaf nodes that are child nodes of the each 
intermediate node [column 7 line 28 to column 8 line 35]. 
As to claims 55, 100 and 121, Mittra discloses a method further comprising the steps of: 

receiving a request for the group session key from a publisher node that is 
located in a different domain of the plurality of domains from the particular 
domain in which is stored the second binary tree [column 9 line 36 to column 10 
line 53]; 
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determining an identifier of the publisher node using a first directory 
service agent that is associated with a particular multicast proxy service node of 
the plurality of multicast proxy service nodes, wherein the particular multicast 
proxy service node is in the particular domain [column 9 line 36 to column 10 line 
53]; 

establishing a secure communication channel among the particular 
multicast proxy service node and a directory service agent that is associated with 
a different multicast proxy service node of the plurality of multicast proxy service 
nodes, wherein the different multicast proxy service node is in the different 
domain [column 9 line 36 to column 10 line 53]. 
As to claims 56, 101, and 122, Mittra discloses a method further comprising the steps of: 

distributing the group session key to all member nodes of the plurality of 
member nodes by creating and storing the group session key using a particular 
multicast proxy service node of the plurality of multicast proxy service nodes, 
wherein the particular multicast proxy service node is associated with a particular 
domain of the plurality of domains, and wherein the particular domain is 
associated with the directory [column 9 line 48 to column 10 line 53]; 

replicating the directory [column 9 line 48 to column 10 line 53]; and 

obtaining the group session key from a local multicast proxy service node 
that is a replica of the particular multicast proxy service node [column 9 line 48 to 
column 10 line 53]. 



Application/Control Number: 09/728,488 Page 23 

Art Unit: 2131 

As to claim 59, Mittra discloses a computer-readable medium carrying one or more 
sequences of instructions for establishing a secure communication session among a plurality of 
member nodes that participate in a multicast group across a wide area network, wherein 
execution of the one or more sequences of instructions by one or more processors causes the one 
or more processors to perform the steps of: 

receiving information defining a plurality of multicast proxy service nodes 
[column 6, lines 3-18], wherein: 

the plurality of multicast service nodes are distributed across the 
wide area network [column 6, lines 3-18]; 

the plurality of multicast service nodes control when any of the 
plurality of member nodes join or leave the multicast group [column 7, 
lines 28-3 9]; and 

the plurality of multicast proxy service nodes are logically 
represented by a first binary tree [column 6, lines 3-18], wherein: 

each node of the first binary tree is associated with a 
domain of a plurality of domains of a directory service that is 
distributed across the wide area network [column 6, lines 3-18]; 
and 

each node of the first binary tree is associated with one or 
more multicast proxy service nodes of the plurality of multicast 
proxy service nodes [column 6, lines 3-18]; 



Application/Control Number: 09/728,488 Page 24 

Art Unit: 2131 

creating and storing a second binary tree that represents the plurality of 
member nodes [column 6, lines 3-18], wherein: 

each of the member nodes of the plurality of member nodes is 
represented by a leaf node of the second binary tree [column 6, lines 3- 
18]; 

the second binary tree is stored in a particular domain of the 
plurality of domains of the directory service that is distributed across the 
wide area network [column 6, lines 3-18]; 

a root node of the second binary tree represents one or more of the 
multicast proxy service nodes of the plurality of multicast proxy service 
nodes [column 6, lines 3-18]; and 

each of the member nodes of the plurality of member nodes is 
capable of establishing multicast communication and serving as a key 
distribution center [column 6, lines 3-18]; 

creating and storing a group session key associated with the multicast 
group and a private key associated with each member node of the multicast group 
using secure key exchange [column 6, lines 3-18]; 

when an additional member node joins the multicast group, determining a 
new group session key by replicating a branch of the second binary tree [column 
6, lines 3-18]. 
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As to claim 81, Mittra discloses an apparatus for establishing a secure communication 
session among a plurality of member nodes that participate in a multicast group across a wide 
area network, the apparatus comprising: 

means for receiving information defining a plurality of multicast 
proxy service nodes [column 6, lines 3-18], that are distributed across the 
wide area network [column 6, lines 3-18] and that are operable to control 
when any of the plurality of member nodes join or leave the multicast 
group [column 7, lines 28-39]; 

means for creating and storing a first binary tree that represents the 
plurality of multicast proxy service nodes [column 6, lines 3-18], wherein: 
each node of the first binary tree is associated with a 
domain of a plurality of domains of a directory service that is 
distributed across the wide area network [column 6, lines 3-18]; 
and 

each node of the first binary tree is associated with one or 
more multicast proxy service nodes of the plurality of multicast 
proxy service nodes [column 6, lines 3-18]; 
means for creating and storing, in particular domain of the plurality of 
domains of the directory service that is distributed across the wide area network, a 
second binary tree that represents the plurality of member nodes [column 6, lines 
3-18], wherein: 
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each of the member nodes of the plurality of member nodes is 
represented by a leaf node of the second binary tree [column 6, lines 3- 
18]; 

a root node of the second binary tree represents one or more of the 
multicast proxy service nodes of the plurality of multicast proxy service 
nodes [column 6, lines 3-18]; and 

each of the member nodes of the plurality of member nodes is 
capable of establishing multicast communication and serving as a key 
distribution center [column 6, lines 3-18]; 

means for creating and storing a group session key associated with the 
multicast group and a private key associated with each member node of the 
multicast group using secure key exchange [column 7 line 28 to column 8 line 
35]; 

means for determining a new group session key by replicating a branch of 
the second binary tree when an additional member node joins the multicast group 
[column 7 line 28 to column 8 line 35]. 
As to claim 102, Mittra discloses a communications system for establishing a secure 
communications session among a plurality of member nodes that participate in a multicast group 
across a wide are network, the communication system comprising: 

a plurality of multicast proxy service nodes that are distributed across the 
wide area network and that are operable to control when any of the plurality of 
member nodes join or leave the multicast group [column 7, lines 28-39]; 
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wherein each of the member nodes of the plurality of member nodes is 
operable to establish multicast communication and to serve as a key distribution 
center [column 7, lines 28-39]; 

first logic encoded in one or more tangible media for execution and when 
executed operable to create and store a first binary tree that represents the 
plurality of multicast proxy service nodes, wherein: 

each node of the first binary tree is associated with a 
domain of a plurality of domains of a directory service that is 
distributed across the wide area network [column 6, lines 3-18]; 
and 

each node of the first binary tree is associated with one or 
more multicast proxy service nodes of the plurality of multicast 
proxy service nodes [column 6, lines 3-18]; 
second logic encoded in one or more tangible media for execution and 
when executed operable to: 

create and store, in a particular domain of the plurality of domains of the 
directory service that is distributed across the wide area network, a second binary 
tree that represents the plurality of member nodes [column 6, lines 3-18], wherein: 

each of the of the member nodes of the plurality of member 
nodes is represented by a leaf node of the second binary tree 
[column 6, lines 3-18]; and 
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a root node of the second binary tree represents one or 
more of the multicast proxy service nodes of the plurality of 
multicast proxy service nodes [column 6, lines 3-18]; 
create and store a group session key associated with the multicast group 
and a private key associated with each member node of the multicast group using 
a secure key exchange [column 7 line 28 to column 8 line 35]; and 

determine a new group session key by replicating a branch of the second 
binary tree when an additional member node joins the multicast group [column 7 
line 28 to column 8 line 35]. 

Conclusion 

7. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO 
MONTHS of the mailing date of this final action and the advisory action is not mailed until after 
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 
CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, 
however, will the statutory period for reply expire later than SIX MONTHS from the mailing 
date of this final action. 
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Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Aravind K. Moorthy whose telephone number is 571-272-3793. 
The examiner can normally be reached on Monday-Friday, 8:00-5:30. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz R. Sheikh can be reached on 571-272-3795. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 
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